pre-authentication attacks
Ben H
bhendin at gmail.com
Wed May 14 15:17:55 EDT 2014
I was reading up a bit on the history of pre-authentication after hearing a
speaker I generally put all faith into mention something about pre-auth
which I didn't think was accurate (namely that its use was to help
determine available encryption types...something which I can find no
evidence of).
In any event, my understanding is that pre-auth is used to prevent an
entity from requesting a TGT without credentials and therefore not being
able to brute force the encryption.
However, there are tools out there which are able to also perform
brute-force attacks against the pre-auth timestamp. In order to do this
however, it would require the ability to listen on the wire between a
client and a KDC. Something that may be trivial in certain circumstances
(compromising a single application box could provide a sniff of all users
authenticating to the KDC).
That being said, assuming that all traffic to the KDC is encrypted,
pre-authentication would seem to be superior as I can't request a ticket
without credentials from an insecure location. If, however, we assume that
all traffic between a client and a KDC may be compromised, is
pre-authentication superior?
We don't even need to make repeated attempts for a pre-auth required, we
simply need to listen on the wire for when users authenticate.
Isn't a known entity like a UTC timestamp easier to brute force against
than the encrypted TGT?
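An added example, not part of the original post, to put numbers behind the question above. Whether the attacker obtains an AS-REP enc-part (no pre-auth) or a captured PA-ENC-TIMESTAMP, each password guess has to be turned into a key with the enctype's string-to-key function before it can be checked, and the check is the enctype's integrity checksum, not the plaintext, so knowing the timestamp in advance does not reduce the work. The block below models the PBKDF2 stage of string-to-key for the AES enctypes using the iteration counts and PRFs from RFC 3962 and RFC 8009 (the final DK/KDF step that produces the base key is omitted), measures the cost of one guess on this machine, and converts it into a time-to-exhaust figure that a defender can use to reason about password length and enctype policy. The realm, principal and passwords are constructed values.

```python
"""Cost model for offline guessing against Kerberos pre-auth / AS-REP material.

Assumptions (not from the post): only the PBKDF2 stage of string-to-key is
modelled; the RFC 3961 DK / RFC 8009 KDF step and the AES-CTS encryption are
left out because they add a constant cost that does not change the comparison.
"""
import hashlib
import time

# (PBKDF2 PRF, iteration count, derived key length in bytes) per enctype.
# aes*-sha1 values come from RFC 3962, aes*-sha2 values from RFC 8009.
ENCTYPES = {
    "aes128-cts-hmac-sha1-96":    ("sha1",   4096,  16),
    "aes256-cts-hmac-sha1-96":    ("sha1",   4096,  32),
    "aes128-cts-hmac-sha256-128": ("sha256", 32768, 16),
    "aes256-cts-hmac-sha384-192": ("sha384", 32768, 32),
}


def default_salt(realm: str, principal: str) -> str:
    """RFC 4120 default salt: realm followed by the principal's name
    components concatenated with no separators, e.g. 'EXAMPLE.COMalice'."""
    return realm + principal.replace("/", "")


def pbkdf2_stage(enctype: str, password: str, realm: str, principal: str) -> bytes:
    """The PBKDF2 portion of string-to-key for the given AES enctype."""
    prf, iterations, keylen = ENCTYPES[enctype]
    salt = default_salt(realm, principal)
    if prf != "sha1":
        # RFC 8009: the salt is prefixed with the enctype name and a NUL byte.
        salt = enctype + "\0" + salt
    return hashlib.pbkdf2_hmac(prf, password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, keylen)


def iteration_ratio(enctype: str, baseline: str = "aes128-cts-hmac-sha1-96") -> float:
    """How many times more PBKDF2 work one guess costs relative to a baseline."""
    return ENCTYPES[enctype][1] / ENCTYPES[baseline][1]


def seconds_per_guess(enctype: str, samples: int = 20) -> float:
    """Measure the wall-clock cost of one string-to-key derivation here.
    Constructed realm/principal; the guesses themselves are throwaway strings."""
    start = time.perf_counter()
    for i in range(samples):
        pbkdf2_stage(enctype, f"candidate-{i}", "EXAMPLE.COM", "alice")
    return (time.perf_counter() - start) / samples


def years_to_exhaust(password_bits: float, guesses_per_second: float) -> float:
    """Time to try every password of the given entropy at a fixed guess rate.
    Applies equally to a sniffed PA-ENC-TIMESTAMP and to an AS-REP enc-part:
    both hand the attacker exactly one verifiable ciphertext per principal."""
    return (2 ** password_bits) / guesses_per_second / (365 * 86400)


if __name__ == "__main__":
    for enctype in ENCTYPES:
        cost = seconds_per_guess(enctype)
        rate = 1.0 / cost
        print(f"{enctype:28s} {cost*1e3:7.2f} ms/guess  "
              f"{rate:8.0f} guesses/s  "
              f"40-bit password exhausted in {years_to_exhaust(40, rate):.1f} years")
```

The output makes the post's trade-off concrete: the enctype and the password's entropy decide how long a captured ciphertext resists guessing; what pre-authentication changes is only that the attacker must be on the wire when the user authenticates instead of asking the KDC for the ciphertext at will.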